Open Source and information security mailing list archives
Date:   Wed, 12 Oct 2022 08:52:47 +1300
From:   Paulo Miguel Almeida <>
To:     Kees Cook <>
Subject: Re: [Self-introduction] - Paulo Almeida

On Mon, Oct 10, 2022 at 04:22:48PM -0700, Kees Cook wrote:
> On Sun, Oct 09, 2022 at 07:32:38PM +1300, Paulo Miguel Almeida wrote:
> > My name is Paulo Almeida and as per the instructions listed on the KSPP
> > page, this is my self-introduction email :)
> Hello! Welcome to the circus. :)
Thanks =)

> >   writing a MOS 6502 emulator for the same reason.
> Heh, nice. That made me wonder if there was a QEMU port, but it seems
> it hasn't been touched in a decade?
> Is there a particular 6502 system you're working to emulate?
Yes, there is. I am trying to emulate Ricoh 2A03 (RP2A03). That's the
slightly modified 6502 CPU used in the NES system. It's a really
well-documented platform so I chose that one to dip my toes in writing
virtualisation-related software.

> > I took the Linux Kernel Internals (LF420) and the Linux Kernel Debugging
> > and Security (LF44) courses by the Linux Foundation.
> Cool -- did anything stand out for you in those courses?
I'm easily amused by debugging/instrumentation techniques and the
kernel has so many of them for various specific niches.

What really stood out at the time was learning how versatile ftrace can
be to the point that this "debugging/tracing" utility is one of the main
gears of kernel live patching. Initially it felt wrong but after
wrapping my head around it, that was a very creative solution.

> > As for other experiences, due to the fact that I wrote my hobbyist OS, I
> > do have a decent experience with the x86/x86-64 architecture. I also
> > spent quite some time writing static analysis parsers.... so should those
> > experiences help anyone or any possible future plan for the KSPP, please
> > count on me.
> Great! One area that needs some review and testing that is x86-specific
> is the userspace CET support[3]. That spans a wide range from chipset
> all the way up through compiler, kernel, and glibc. Getting more people
> to try that series out and post results ("it works for me" or "I
> couldn't trigger the protection", etc) would be very welcome.
That sounds like it's my cup of tea :) I just finished reading the Intel
CET paper, it's an interesting approach with lots of things to be
tested. Thanks for the recommendation, I will get involved with that. 

> You've already found the "remove the 1-element arrays" work, and there
> are plenty more like that on the issue tracker. Trying to really put an
> end to strlcpy[4] is ongoing[5] too, as there has been a fairly
> concerted effort to remove them lately:
> Count of "git grep strlcpy | wc -l" over recent releases:
>          v5.17:  1535
>          v5.18:  1525
>          v5.19:  1507
>           v6.0:  1379
>         master:   544
>  next-20221010:   401
Fingers crossed! I saw many patches for the strlcpy replacement so you
seem to be well covered for that... I will continue with the one-element
array changes and try to get involved with the support for Intel CET =)

Thanks for all the suggestions Kees!

Paulo A.
